CVE-2011-4828
Published: 2011-12-15
Priority: P2 · 73 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 65.48% (99.2th percentile)
Unrestricted file upload vulnerability in includes/inline_image_upload.php in AutoSec Tools V-CMS 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in temp/.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| autosectools | v-cms | — | — |
Detection & IOCs
- Detect unauthenticated POST requests to includes/inline_image_upload.php containing multipart/form-data with a PHP (or other executable) file extension in the filename field.
- Alert on GET requests to the temp/ directory of a V-CMS installation immediately following a POST to inline_image_upload.php, as this is the two-stage upload-then-execute pattern used by the exploit.
- Fingerprint V-CMS 1.0 installations by matching the response body pattern /V\-CMS v1\.[0-1]/ in HTTP responses, as used by the Metasploit check method.
- Flag multipart POST requests to inline_image_upload.php using the static boundary value '----x', which is hardcoded in the public Metasploit exploit.
- V-CMS 1.1 added extension whitelisting (jpg, jpeg, png, gif, bmp), but the Metasploit module notes that uploading a PHP payload disguised with one of those extensions may still be exploitable depending on server configuration (e.g., Apache mod_mime double-extension handling).
- The default TARGETURI for the Metasploit module is '/vcms/', so detection rules scoped only to the root path may miss deployments at this sub-path.
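The upload-then-request sequence from the detection notes above, written as an added log-correlation example (it is not code from this page or from the Metasploit module). The combined access-log format, the 60-second window, the function name and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Common/combined access-log prefix: ip, timestamp, method, path, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Capture the install base ("/", "/vcms/", ...) in front of the upload script.
UPLOAD_RE = re.compile(
    r'^(?P<base>/(?:[^?]*/)?)includes/inline_image_upload\.php(?:\?|$)', re.I)

def find_upload_then_fetch(lines, window=timedelta(seconds=60)):
    """Return (ip, upload_path, fetched_path) for every GET under <base>temp/
    that the same client sends within `window` of POSTing to the uploader."""
    pending = {}  # (ip, base) -> (time, path) of the latest upload POST
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, method, path = m["ip"], m["method"], m["path"]
        up = UPLOAD_RE.match(path)
        if method == "POST" and up:
            pending[(ip, up["base"].lower())] = (ts, path)
        elif method == "GET":
            for (p_ip, base), (p_ts, p_path) in pending.items():
                in_temp = path.lower().startswith(base + "temp/")
                recent = timedelta(0) <= ts - p_ts <= window
                if p_ip == ip and in_temp and recent:
                    hits.append((ip, p_path, path))
    return hits

# Constructed sample log (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2011:10:00:01 +0000] "POST /vcms/includes/inline_image_upload.php HTTP/1.1" 200 12',
    '203.0.113.7 - - [15/Dec/2011:10:00:03 +0000] "GET /vcms/temp/a1b2.php HTTP/1.1" 200 0',
    '198.51.100.9 - - [15/Dec/2011:10:00:05 +0000] "GET /vcms/temp/photo.jpg HTTP/1.1" 200 5120',
    '203.0.113.7 - - [15/Dec/2011:10:00:06 +0000] "GET /vcms/index.php HTTP/1.1" 200 900',
    '203.0.113.7 - - [15/Dec/2011:10:05:00 +0000] "GET /vcms/temp/a1b2.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in find_upload_then_fetch(SAMPLE_LOG):
        print("upload-then-fetch:", hit)
```

Access logs do not record the multipart filename or boundary, so the filename-extension and '----x' boundary checks in the list need request-body inspection at a WAF or IDS.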
No detection rules found.
Exploit-DB
V-CMS - Arbitrary '.PHP' File Upload / Execution (Metasploit)
exploitdb · 2012-04-14
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "V-CMS PHP File Upload and Execute",
'Description' => %q{
This module exploits a vulnerability found on V-CMS's inline image upload feature.
The problem is due to the inline_image_upload.php file not checking the file type
before saving it on the web server. This allows any malicious user to upload a
script (such as PHP) without authentication, and then execute it with a GET request.
The issue is fixed in 1.1 by checking the extensi
Metasploit
V-CMS PHP File Upload and Execute
This module exploits a vulnerability found on V-CMS's inline image upload feature. The problem is due to the inline_image_upload.php file not checking the file type before saving it on the web server. This allows any malicious user to upload a script (such as PHP) without authentication, and then execute it with a GET request. The issue is fixed in 1.1 by checking the extension name. By default, 1.1 only allows jpg, jpeg, png, gif, bmp, but it is still possible to upload a PHP file as one of those extension names, which may still be leveraged in an attack.
No writeups or analysis indexed.
- http://bugs.v-cms.org/changelog_page.php
- http://bugs.v-cms.org/view.php?id=53
- http://secunia.com/advisories/46861
- http://www.autosectools.com/Advisory/V-CMS-1.0-Arbitrary-Upload-236
- http://www.securityfocus.com/bid/50706
Published: 2011-12-15